Springer on Rid, 'Cyber War Will Not Take Place'

Thomas Rid
Paul Springer

Thomas Rid. Cyber War Will Not Take Place. Oxford: Oxford University Press, 2017. 232 pp. $14.95 (paper), ISBN 978-0-19-066071-0.

Reviewed by Paul Springer (Air University, Air Command and Staff College) Published on H-War (December, 2018) Commissioned by Margaret Sankey (Air War College)

Printable Version: http://www.h-net.org/reviews/showpdf.php?id=52150

Thomas Rid is a professor of strategic studies at Johns Hopkins University’s School of Advanced International Studies. He previously served as reader in War Studies at King’s College London. In 2013, he published Cyber War Will Not Take Place, making the argument that because war requires an element of violence, a cyber attack by definition cannot be an act of war. This concept is in keeping with the traditional Clausewitzian definition of war—and so long as that definition remains the norm, the argument is hard to refute. However, there are a number of potential consequences for any cyber attack, to include some form of physical retaliation outside of the digital domain.

For the author, the term “cyber war” is a terribly misleading concept. Instead, he believes that cyber operations are most useful for three key activities, all of which are often associated with war, but are not considered acts of war on their own. Specifically, cyber attacks are particularly effective in performing acts of espionage, sabotage, and subversion. While all of these are relatively common activities in the intercourse of states, they have all also been cited as viable causes for war, and thus, it is possible that Rid is making a distinction without a difference.

Rid correctly notes that even though a cyber conflict cannot be considered a war per se, it still might provide the necessary triggering event for such a conflict. For Rid, then, the question of “cyber war” comes down to definitions—if war needs both force and violence, cyber attacks will not count by themselves, but they will serve as key enablers for other forms of war. Perhaps a shift in terminology will eventually prove appropriate—but perhaps Rid is right that if cyber operations allow the same effects as war without the death and destruction that normally accompany it, cyber attacks may be the ethical option for nations. Of course, this is all predicated upon accepting that states have a right to engage in espionage, sabotage, and subversion, all of which are well suited to the cyber domain.

Rid sees cyber defenses as massively favored in any cyber conflict. Offensive cyber that is destructive tends to be quickly detected due to its obvious effects, and thus is quickly countered. Defenses make repeatability of attacks unlikely by anyone, not just the original actor, and the propagation of new attack vectors is countered by the sharing of patches and defensive countermeasures. Thus, Rid tends to believe that cyber attacks, even when successful, tend to have a very short window of effect, so long as they are detected. Of course, the biggest espionage and sabotage campaigns conducted through the cyber domain belie this concept—but Rid counters that the victims should have noticed what was happening far sooner, and that they are not the norms for the domain.

The chapter on sabotage is well written, thorough, and interesting. Rid places particular emphasis, with good reason, upon the Stuxnet attack, which he is certain was the cooperative work of the United States and Israel. It illustrates the fact that cyber attacks can sometimes achieve physical effects—in this case, the destruction of Iranian centrifuges being used to enrich uranium—without the dangers of a physical attack that would definitely be classified as an act of war. While cyber sabotage by itself is not war, it is certainly a major concern, as it offers a tremendous opportunity to inflict an enormous amount of damage in exchange for a minimal investment, and to do so with relative impunity. Of course, the same is true for an individual in the forests of the western United States with a pack of matches.

The espionage chapter is also thorough and detailed, through 2013. However, because there are no updates to the original work, this book is missing many of the latest developments and specific attacks, all of which have served to demonstrate the particular dangers of cyber espionage. The same is true for the subversion discussion—and there is a lot of room for updates, especially a longer-term perspective on the Arab Spring and the rise of the Islamic State.

Rid argues that the problem of attribution is one of the fundamental hurdles when it comes to considering cyber attacks an act of war. Because proving responsibility for cyber attacks is such a thorny issue, it may be impossible to consider them overt acts of war—and a covert war is often considered an entirely different form of conflict in the twenty-first century. To prove his point, Rid provides a very complete walk-through of the major cyber attacks throughout history, until 2013. And that leads to the most frustrating aspect of this work—while it has been proclaimed by Oxford University as a “Conflict Classic,” it is already substantially out-of-date. Updating a four-year-old book might seem strange for historians—but in the cyber domain, four years is almost an eternity, and thus, this book had the potential to expand its discussion and remain a fresh examination of the specific challenges of cyber warfare. Instead, it is actually the exact same text as the 2013 book, with a seven-page epilogue and a six-page afterword. The epilogue is actually a reprint of a 2013 article from the Journal of Strategic Studies, and was written by John Stone as a refutation of an earlier Rid article from the same journal. The afterword contributes almost nothing new to the 2013 discussion—it primarily provides an explanation for why Rid does not wish to update the book. He commences the section by proclaiming his own work a classic, thus echoing the publisher’s marketing department, and clearly demonstrates his awareness of the changes that have occurred in the cyber domain in the few years since the original writing. But, demonstrating an awareness and sharing its ramifications are two different things—and as a result, the afterword reads as a list of excuses rather than anything new or noteworthy.

Because this is essentially just a reprint of the 2013 book, with a bit of extraneous (and mostly unhelpful) material tacked on at the end, there is no compelling reason to purchase this work if one already owns the earlier version. Readers interested in cyber warfare should certainly have a copy of Rid’s work on their shelf—and the lower price of this paperback version might make it more accessible to some readers, although there are plenty of used copies of the earlier work available at even lower prices. Thus, if one is seeking an argument that counteracts much of the media hyperbole regarding cyber warfare, this is a work well worth examining. But if one is seeking the latest explanation of recent cyber events, it would be best to look elsewhere.

Citation: Paul Springer. Review of Rid, Thomas, Cyber War Will Not Take Place. H-War, H-Net Reviews. December, 2018. URL: http://www.h-net.org/reviews/showrev.php?id=52150

This work is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States License.

My reaction to the review of the re-issue of Rid's book Cyber War Will Not Take Place is the same as my reaction to the reviews of the original version, a few years ago: I reject the apparent assumption that cyber attacks cannot inflict actual physical destruction and cause actual violent deaths.
Computerized systems now control a lot of hardware in the world, the malfunctioning of which could cause vehicles to crash, fires to start, and so forth. Some of the computer-controlled hardware is weaponry equipped with explosive warheads.
The notion that every nation using such systems will have computer security personnel who are competent enough, and careful enough, and spread their attentions widely enough across all relevant systems, that no enemy will ever exploit some vulnerability to launch a cyber attack causing significant amounts of actual physical destruction and actual deaths, seems to me rather unlikely.